Risk management and information security are highly debated topics in CIO and CISO circles. Information risk management is often weighed only from a cost perspective; however, the business growth and reputation angle plays a much larger role in this scenario. Biztech2.com spoke to Vishal Salvi, CISO, HDFC Bank, on the strategy a CISO should adopt to generate revenues from the risk management roadmap.
How can a CISO drive business growth by ensuring better risk management practices?
The purpose of the Information Security & Risk Management function is to allow business to run with minimal risks. The customer has a choice and security is already becoming a key differentiator. Especially in the banking business when we deal with our customer’s money, we need to ensure that the customer’s privacy and money are both safeguarded.
The second important aspect is business confidence; a robust information security platform provides the thrust to business to offer different types and flavours of products to customers only because you are assured of security controls.
To give you an analogy, a car with a better brake system would go faster than others, and that’s why F1 cars have the strongest brakes. Therefore, for business to grow faster, you need to have a robust risk management process in place.
What challenges does a CISO face in the above process?
The inherent characteristics of information security make it such that it is visible only when it is not working and invisible when it is working. So how do you prove the derived value? I, therefore, feel that CISOs have an important role to play to ensure that they get their risk assessment spot on, as we are investing to assure that bad things do not occur and it could either be because of the good controls being implemented or you were plain lucky and not a target.
Secondly, business integration and understanding is a key for success. As the security function has evolved through IT, there is still a tendency to be more technology focused and less business focused. This needs to change if we want to see information security help business growth.
Awareness and consistent understanding of one’s role pertaining to information security is also a significant challenge. If people knew and practised their part, the number of security issues would be far fewer.
What should the CISO do to overcome these challenges?
The primary role of the CISO is that of a change agent; thus, building a culture of information security and making people realise and experience the value created by information security lies in the hands of the CISO. He should regularly brief and inform the business on the potential risks averted due to the security solutions in place. This includes quantifiable inputs and examples, like how many viruses, malware etc. were stopped in the past month. What would have been the potential downtime if they had hit the system? Communication with the business is important at all times. A few pointers for success are as follows:
1. Build a holistic framework with a clear vision on what are the strategic as well as tactical goals.
2. Be flexible and adaptable; do not expect overnight changes.
3. Retain your technology base (traditional stronghold) but engage with business more.
4. Align compliance requirements to your strategy and vice versa.
5. Build a comprehensive and continuous awareness strategy.
6. Collaborate with industry peers and share ideas and concepts.
7. Measure success and share success stories.
Can you give us some examples of the risk management initiatives undertaken at HDFC Bank?
As mentioned above, aligning risk management and compliance needs is the key. At HDFC Bank, all the regulatory and compliance requirements have been consolidated into one single information security policy document, which has links to the different frameworks/regulations. With this arrangement, users have to refer to only one single policy document and hence it becomes simple as well as cost effective to manage and implement the controls.
Robust risk management processes and metrics are important to understand what is happening and which are the areas that need improvement. The CISO’s approach needs to shift from threat & vulnerability assessment to holistic risk management.